Re: Domain Administrator privs on Client



OK. I understand Restricted Groups.

But I don't understand how that will help me allow domain admins and domain
administrators to be able to act as administrators of local machines. Unless
you're telling me that the domain admins and administrators are already in a
group somewhere that I don't know about?

I.e. I have an SQL server on my domain, I have to log in as the local SQL
administrator to do most admin tasks. I'd rather use the domain administrator
account to do these things but it won't allow me to do it, saying various
things along the lines of "You do not have the privileges to install this",
etc., etc.

Tim

"Roger Abell [MVP]" <mvpNoSpam@xxxxxxx> wrote in message
news:e039MpdMGHA.1488@xxxxxxxxxxxxxxxxxxxxxxx
The Enable to delegation setting is quite something else.
If you have enabled that due to this reasoning you should reverse it.
That setting lets the accounts assume the credentials of others in
circumstances where they have the token available.
This is a potential risk if given to any principal that is not regulated.

Restricted groups is the group policy way to dictate the complete
list of members in (of the memberships of) a group.
However, be aware that this is the full list and will replace any
other memberships.

One can set a machine startup script to check that Domain Admins
is still a member of its machine local Administrators group and if not
then add it. This leaves a window of time, between restarts, when
the Administrators might be altered, whereas Restricted Groups
for a member will in default circumstances have a window of about
90 minutes max.

"Tim Guy" <tim@xxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ePpMwhXMGHA.2580@xxxxxxxxxxxxxxxxxxxxxxx
With Windows 2003 AD/Network, I cannot get a domain administrator to
administer a local client / server. Only the local administrator will
work.

I always thought that the setting in Windows 2000 GPOs to overcome that
was "Enable Computer and User accounts to be trusted for delegation".

Doesn't seem to be on Windows 2003. What is the policy setting in a GPO to
get around this?

Cheers

Tim
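The startup-script approach Roger describes, written out as an added example (this is not code from anyone in the thread): a cmd batch file assigned as a machine startup script, which checks whether Domain Admins is still in the local Administrators group, re-adds it if not, and logs an event so the alterations he mentions become visible. The domain name CONTOSO is a placeholder.

```batch
@echo off
REM Added example, not from the thread: machine startup script that re-adds
REM Domain Admins to the local Administrators group if it has been removed.
REM Runs as LocalSystem at boot, so it has the rights to change local groups.
REM DOMAIN is a placeholder NetBIOS domain name; replace it with your own.
set "DOMAIN=CONTOSO"
set "GRP=%DOMAIN%\Domain Admins"

REM "net localgroup" lists members one per line as DOMAIN\Name. findstr /C:
REM matches the literal string, /I ignores case, /B anchors at line start so
REM "Domain Admins" is not matched inside some other member's name.
net localgroup Administrators | findstr /I /B /C:"%GRP%" >nul
if %errorlevel% equ 0 (
    echo %GRP% already present in local Administrators.
    goto :eof
)

REM Membership is missing: restore it. If the add fails, record an error so
REM the gap between restarts that Roger mentions is at least visible.
net localgroup Administrators "%GRP%" /add
if %errorlevel% neq 0 (
    eventcreate /T ERROR /ID 1002 /L APPLICATION /SO AdminGroupCheck ^
        /D "Failed to add %GRP% to local Administrators (net error %errorlevel%)" >nul
    goto :eof
)

REM Log the repair: repeated WARNING events from one machine show that
REM something keeps removing the group, which is worth investigating.
eventcreate /T WARNING /ID 1001 /L APPLICATION /SO AdminGroupCheck ^
    /D "%GRP% was missing from local Administrators and has been re-added" >nul
```

Link it under Computer Configuration > Windows Settings > Scripts (Startup) in a GPO applied to the machines concerned; as Roger notes, it only closes the gap at each reboot, whereas Restricted Groups re-applies on the policy refresh interval.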